October 2011 - openldap-technical

by Venish Khant

Hi all I am using cpan Net::LDAP module to access LDAP entries. I want to search LDAP entries using Net::LDAP search method. When I do search, I want some limited number of entries from search result, for this(searching) process I am using Net::LDAP::Control::VLV module. But I get error on VLV response control. Please, any one have idea about this error. * Error:* Died at vlv.pl line 50, This is my example. I changed the font style of line 50 #!/usr/bin/perl -w use Net::LDAP; use Net::LDAP::Control::VLV; use Net::LDAP::Constant qw( LDAP_CONTROL_VLVRESPONSE ); use Net::LDAP::Control::Sort; sub procentry { my ( $mesg, $entry) = @_; # Return if there is no entry to process if ( !defined($entry) ) { return; } print "dn: " . $entry->dn() . "\n"; @attrs = $entry->attributes(); foreach $attr (@attrs) { #printf("\t%s: %s\n", $attr, $entry->get_value($attr)); $attrvalue = $entry->get_value($attr,asref=>1); #print $attr.":". $entry->get_value($attr)."\n"; foreach $value(@$attrvalue) { print "$attr: $value\n"; } } $mesg->pop_entry; print "\n"; } $ldap = Net::LDAP->new( "localhost" ); # Get the first 20 entries $vlv = Net::LDAP::Control::VLV->new( before => 0, # No entries from before target entry after => 19, # 19 entries after target entry content => 0, # List size unknown offset => 1, # Target entry is the first ); my $sort = Net::LDAP::Control::Sort->new( order => 'cn' ); @args = ( base => "dc=example,dc=co,dc=in", scope => "subtree", filter => "(objectClass=inetOrgPerson)", callback => \&procentry, # Call this sub for each entry control => [ $sort, $vlv ], ); $mesg = $ldap->search( @args ); # Get VLV response control *($resp) = $mesg->control( LDAP_CONTROL_VLVRESPONSE ) or die;* $vlv->response( $resp ); # Set the control to get the last 20 entries $vlv->end; $mesg = $ldap->search( @args ); # Get VLV response control ($resp) = $mesg->control( LDAP_CONTROL_VLVRESPONSE ) or die; $vlv->response( $resp ); # Now get the previous page $vlv->scroll_page( -1 ); $mesg = $ldap->search( @args ); # Get VLV response control ($resp) = $mes # Now page with first entry starting with "B" in the middle $vlv->before(9); # Change page to show 9 before $vlv->after(10); # Change page to show 10 after $vlv->assert("B"); # assert "B" $mesg = $ldap->search( @args );g->control( LDAP_CONTROL_VLVRESPONSE ) or die; $vlv->response( $resp ); -- Venish Khant www.deeproot.co.in

7 years

4
11
0 / 0

Using NSS

by Braden McDaniel

I am trying to get OpenLDAP (2.4.24) working with NSS on Fedora 15. In cn=config.ldif I have: olcTLSCACertificatePath: /etc/pki/nssdb olcTLSCertificateFile: endoframe I have used certutil to create a self-signed certificate: # certutil -d /etc/pki/nssdb -L Certificate Nickname Trust Attributes SSL,S/MIME,JAR/XPI endoframe Cu,Cu,Cu But this doesn't appear to be working: $ ldapsearch -H ldaps://rail -b dc=endoframe,dc=net -x -d1 ldap_url_parse_ext(ldaps://rail) ldap_create ldap_url_parse_ext(ldaps://rail:636/??base) ldap_sasl_bind ldap_send_initial_request ldap_new_connection 1 1 0 ldap_int_open_connection ldap_connect_to_host: TCP rail:636 ldap_new_socket: 3 ldap_prepare_socket: 3 ldap_connect_to_host: Trying ::1 636 ldap_pvt_connect: fd: 3 tm: -1 async: 0 ldap_close_socket: 3 ldap_new_socket: 3 ldap_prepare_socket: 3 ldap_connect_to_host: Trying 127.0.0.1:636 ldap_pvt_connect: fd: 3 tm: -1 async: 0 ldap_close_socket: 3 ldap_err2string ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1) slapd is running: # systemctl status slapd.service slapd.service - LSB: starts and stopd OpenLDAP server daemon Loaded: loaded (/etc/rc.d/init.d/slapd) Active: active (running) since Wed, 05 Oct 2011 02:24:11 -0400; 3 weeks and 0 days ago Main PID: 1429 (slapd) CGroup: name=systemd:/system/slapd.service └ 1429 /usr/sbin/slapd -h ldap:/// -u ldap Any ideas of what I might be doing wrong, or where I should be looking to debug this? -- Braden McDaniel <braden(a)endoframe.com>

11 years, 3 months

8
19
0 / 0

Ldap is up, trying to get tls working.

by John Tobin

Folks, I have openldap up, it supports vsftpd, sshd, and 5 client linux machines for remote login. I would like to get tls working. I would support either ldaps [port 636], or the tls available on port 389, I am aware of the differences in implementation, and the fact that an administrator effectively has to make a decision to support one or the other in most cases. Currently: I have slapd running configured for tls under ldap [std port 389]. I am testing it on the slapd machine, with a client on the same machine. I am pointing to the same cacertificate in slapd.d [cn=config.ldif] and ldap.conf. With that in place, and the ldap.conf below: nightmare:/etc # cat ldap.conf base dc=dark,dc=net uri ldap://nightmare.dark.net # scope sub # binddn "cn=admin,dc=dark,dc=net" # bindpw jackie bind_policy soft # The user ID attribute (defaults to uid) pam_login_attribute uid pam_lookup_policy yes pam_password exop nss_schema rfc2307bis tls_reqcert never pam_filter objectClass=posixAccount ldap_version 3 nss_map_attribute uniqueMember uniqueMember ssl start_tls tls_cacert /var/lib/ldap/cacert.pem tls_cert /var/lib/server.crt tls_key /var/lib/ldap/server.key I have run ldapsearch: nightmare:/media # ldapsearch -v -x -H ldap://nightmare.dark.net:389/ -b "dc=dark,dc=net" -Z ldap_initialize( ldap://nightmare.dark.net:389/??base ) filter: (objectclass=*) requesting: All userApplication attributes # extended LDIF # # LDAPv3 # base <dc=dark,dc=net> with scope subtree # filter: (objectclass=*) # requesting: ALL # # dark.net dn: dc=dark,dc=net dc: dark o: dark objectClass: organization objectClass: dcObject # admin, dark.net dn: cn=admin,dc=dark,dc=net objectClass: organizationalRole cn: admin # Default Policy, dark.net dn: cn=Default Policy,dc=dark,dc=net objectClass: namedObject objectClass: pwdPolicy cn: Default Policy # People, dark.net dn: ou=People,dc=dark,dc=net objectClass: organizationalUnit ou: People description: People is used in mapping the /etc/passwd entries # jtobin, People, dark.net dn: uid=jtobin,ou=People,dc=dark,dc=net uid: jtobin cn: John C. Tobin objectClass: account objectClass: posixAccount objectClass: top objectClass: shadowAccount loginShell: /bin/ksh uidNumber: 5000 gidNumber: 100 homeDirectory: /home/jtobin gecos: John C. Tobin # defaultDNS, dark.net dn: cn=defaultDNS,dc=dark,dc=net cn: defaultDNS objectClass: top objectClass: suseDnsConfiguration suseDefaultBase: ou=DNS,dc=dark,dc=net # DNS, dark.net dn: ou=DNS,dc=dark,dc=net objectClass: top objectClass: organizationalUnit ou: DNS # search result search: 3 result: 0 Success # numResponses: 8 # numEntries: 7 nightmare:~ # ##### So I am assuming the ldapserver on ldap://nightmare.dark.net:389/ with tls works. [I looked through the message output in /var/log/message and see the ³STARTTLS² and ³TLS established tls_ssf=256²] I have done a number of similar ldapsearches. This appears to work correctly. On the client machine I now do : nightmare:/media # su - jtobin su: user jtobin does not exist nightmare:/media # /var/log/message - output...... nightmare:/var/log # tail f |grep I tls Oct 28 11:29:01 nightmare slapd[11118]: conn=1217 op=0 STARTTLS Oct 28 11:29:01 nightmare worker_nscd: nss-ldap: do_open: do_start_tls failed:stat=-1 Oct 28 11:29:01 nightmare slapd[11118]: connection_read(14): TLS accept failure error=-1 id=1217, closing Oct 28 11:29:01 nightmare slapd[11118]: conn=1217 fd=14 closed (TLS negotiation failure) Oct 28 11:29:01 nightmare slapd[11118]: conn=1218 op=0 STARTTLS Oct 28 11:29:01 nightmare worker_nscd: nss-ldap: do_open: do_start_tls failed:stat=-1 Oct 28 11:29:01 nightmare slapd[11118]: connection_read(14): TLS accept failure error=-1 id=1218, closing Oct 28 11:29:01 nightmare slapd[11118]: conn=1218 fd=14 closed (TLS negotiation failure) [if you want more of the log, I can obviously get it, but these appear to be the important parts.] This is probably a configuration error, or a logical / architecture misunderstanding, ok, I m a newbie. Do I have certificates incorrectly generated? [certificates were generated via http://www.openldap.org/faq/data/cache/185.html]. What did I do wrong? This is running openldap 2.4.26 off of Suse 12.1 milestone 5. Thanks in advance. tob

11 years, 5 months

4
6
0 / 0

Syncrepl SSL fail

by Hugo Deprez

Dear community, I setup a syncrepl between my master openldap server and a consumer. I am trying to use SSL for this syncrepl I got the following error in the log when I start slapd on the consumer : Oct 13 17:04:59 server slapd[16905]: slapd starting Oct 13 17:04:59 server slapd[16905]: slap_client_connect: URI=ldaps://ldap.mydomain.fr:1024/ DN="cn=syncrepluser,o=others,dc=mydomain,dc=fr" ldap_sasl_bind_s failed (-1) Oct 13 17:04:59 server slapd[16905]: do_syncrepl: rid=003 rc -1 retrying (9 retries left) I don't understand why it is failing as a single ldapsearch from the same server with the syncrepl user is working. here is my syncrepl configuration : Syncrepl rid=003 provider=ldaps://ldap.mydomain.fr:1024/ type=refreshOnly retry="60 10 600 +" interval=00:00:00:10 searchbase="dc=mydomain,dc=fr" scope=sub schemachecking=on bindmethod=simple binddn="cn=syncrepluser,o=others,dc=mydomain,dc=fr" credentials=my_password Any idea ? Regards, Hugo

11 years, 5 months

8
14
0 / 0

Searches causing disk writes

by Adam Wale

Hi, I'm observing an issue where a large number of searches against an openldap server results in a large amount of disk writes occurring. I have 10 hosts performing the same workload, the hosts are running slapd 2.4.21 under Ubuntu Lucid. If I stop searching against one of the hosts I see disk write activity from that host drop dramatically. I initially noticed the high write activity in the VMware stats for the hosts and have used iostat on the hosts to gather further info. The hosts being searched are slaves in a slurpd replication environment; they do not have replication logging enabled, the directory is using a hdb backend. Over a 5 minute period the average disk write activity is 8517KB/s when being searched, and 41KB/s when not being searched; over the same time period the average disk read activity is 8KB/s. When performing searches against a host an average workload is 300 searches/second, average entry size is 450bytes, and average entries returned is 30. The hosts have plenty of free RAM and are not using any swap. I have disabled the monitor backend but haven't seen much of an improvement by doing this, given the monitor database is instantiated at startup is this stored in memory? (if not, why not make that an option?) Does anyone have any ideas as to why reading from the directory would be causing disk writes at such a high rate? Thanks, Adam

11 years, 6 months

7
10
0 / 0

LD_LIBRARY_PATH exported but libdb-4.6.so not found

by Pablo Chamorro C.

I updated from 2.4.21 to 2.4.23 in some old Fedoras and also in a CentOS 5.4. Before compiling, I run: export LD_LIBRARY_PATH=/usr/local/BerkeleyDB.4.6/lib export CPPFLAGS="-I/usr/local//BerkeleyDB.4.6/include" export LDFLAGS="-L/usr/local/BerkeleyDB.4.6/lib" and it compiles ok. But after installed, in 3 out 4 of the used servers, slapd doesn't start unless I execute first: export LD_LIBRARY_PATH=/usr/local/BerkeleyDB.4.6/lib Attached, the output of ldd /usr/local/libexec/slapd, before and after running export LD_LIBRARY_PATH=/usr/local/BerkeleyDB.4.6/lib. In short: without LD_LIBRARY_PATH defined: libdb-4.6.so => not found with LD_LIBRARY_PATH as above: libdb-4.6.so => /usr/local/BerkeleyDB.4.6/lib/libdb-4.6.so (0x00002b4eb2c16000) Could you please explain me why this might be happening? Is this a bug? This issue ocurred to me in at least 3 server, but I have another CentOS 5.4, where the compilation and the install process run just fine, and I didn't need that workaround. Thank you, Pablo Chamorro La informaci�n contenida en este mensaje y cualquiera de sus adjuntos es confidencial, para el uso exclusivo de la persona o entidad destinataria. Si usted ha recibido este mensaje por equivocaci�n, se le notifica que no est� autorizado para revisarlo, reenviarlo, imprimirlo, copiarlo o distribuirlo de forma parcial o total; por favor comunique el error a la persona que lo env�a y elim�nelo. Las opiniones y puntos de vista presentados en este mensaje son responsabilidad de quien firma el mensaje y no representan necesariamente la posici�n y puntos de vista de INGEOMINAS. Este mensaje de correo electr�nico ha sido analizado por el antivirus Mcafee. Confidentiality Notice The information in this message and any attachments is confidential, it is for exclusive use of the person or entity to which it is addressed. If you have received this message in error, you are notified that you are not authorized to review, re-transmit, print out, disseminate, copy or distribute it in partial or total way; please communicate the mistake to the person who sent this message and delete it. The opinions and points of view stated in this message with responsibility by who signed the message, do not necessarily represent the opinion or point of view of INGEOMINAS. This electronic mail message was scanned by the Mcafee anti-virus.

11 years, 6 months

2
2
0 / 0

Password policy complexity

by Hugo Deprez

Dear community, I would like to specify the complexity of the password for users. For exemple a password must contain : one specific character such as : !£"$%^&*()-_+=:;'@~#?<> one capital letter etc... The password policy overlay only authorize to specify the number of character. Is that possible ? Regards, Hugo

11 years, 7 months

2
4
0 / 0

Pb with sasl2 digest - md5 and openldap

by bea chataigne

On a redhat 6, openldap 2.4 and cyrus-sasl 2.1.23. I create a sasldb syncuser user, in my slapd.d configuration I add: OlcAuthzRegexp: {0} " uid=syncuser, cn=DIGEST-MD5, cn=auth " " cn=syncuser, dc=xxx, dc=fr " I give the right of reading has the utisilsateur ldap on sasldb. PB during a ldapsearch: # ldapsearch -Y DIGEST-MD5-U syncuser ldap_sasl_interactive_bind_s: Invalid credentials ( 49 ) additional information: SASL ( 13 ): use(wear out) not found: no secret in database Slapd in debug mode(fashion) sends back(dismisses) to me: slapd[2608]: do_bind: dn () SASL mech DIGEST-MD5 slapd[2608]:slapd[2608]: ==> sasl_bind: dn="" mech=<continuing> datalen=277 slapd[2608]: SASL [conn=1002] Debug: DIGEST-MD5 server step 2 slapd[2608]: SASL Canonicalize [conn=1002]: authcid="syncuser" slapd[2608]: slap_sasl_getdn: conn 1002 id=syncuser [len=8] slapd[2608]: slap_sasl_getdn: u:id converted to uid=syncuser,cn=DIGEST-MD5,cn=auth slapd[2608]: >>> dnNormalize: <uid=syncuser,cn=DIGEST-MD5,cn=auth> slapd[2608]: <<< dnNormalize: <uid=syncuser,cn=digest-md5,cn=auth> slapd[2608]: ==>slap_sasl2dn: converting SASL name uid=syncuser,cn=digest-md5,cn=auth to a DN slapd[2608]: [rw] authid: "uid=syncuser,cn=digest-md5,cn=auth" -> "cn=syncuser,dc=xxx,dc=fr" slapd[2608]: slap_parseURI: parsing cn=syncuser,dc=xxx,dc=fr slapd[2608]: >>> dnNormalize: <cn=syncuser,dc=xxx,dc=fr> slapd[2608]: <<< dnNormalize: <cn=syncuser,dc=xxx,dc=fr> slapd[2608]: <==slap_sasl2dn: Converted SASL name to cn=syncuser,dc=xxx,dc=fr slapd[2608]: slap_sasl_getdn: dn:id converted to cn=syncuser,dc=xxx,dc=fr slapd[2608]: SASL Canonicalize [conn=1002]: slapAuthcDN="cn=syncuser,dc=xxx,dc=fr" slapd[2608]: => hdb_search slapd[2608]: daemon: activity on 1 descriptor slapd[2608]: daemon: activity on: slapd[2608]: slapd[2608]: daemon: epoll: listen=7 active_threads=1 tvp=zero slapd[2608]: daemon: epoll: listen=8 active_threads=1 tvp=zero slapd[2608]: daemon: epoll: listen=9 active_threads=1 tvp=zero slapd[2608]: daemon: epoll: listen=10 active_threads=1 tvp=zero slapd[2608]: bdb_dn2entry("cn=syncuser,dc=xxx,dc=fr") slapd[2608]: => hdb_dn2id("cn=syncuser,dc=xxx,dc=fr") slapd[2608]: <= hdb_dn2id: get failed: DB_NOTFOUND: No matching key/data pair found (-30988) slapd[2608]: => access_allowed: disclose access to "dc=xxx,dc=fr" "entry" requested slapd[2608]: => dnpat: [5] uid=([^,].*),ou=People,dc=xxx,dc=fr nsub: 1 slapd[2608]: => dnpat: [6] uid=([^,].*),ou=People,dc=xxx,dc=fr nsub: 1 slapd[2608]: => dn: [7] ou=people,dc=xxx,dc=fr slapd[2608]: => dn: [8] ou=admin,dc=xxx,dc=fr slapd[2608]: => dn: [9] ou=services,dc=xxx,dc=fr slapd[2608]: => dnpat: [10] ou=groups,ou=(.*),ou=web,dc=xxx,dc=fr nsub: 1 slapd[2608]: => dnpat: [11] ou=(.*),ou=web,dc=xxx,dc=fr nsub: 1 slapd[2608]: => acl_get: [12] attr entry slapd[2608]: => acl_mask: access to entry "dc=xxx,dc=fr", attr "entry" requested slapd[2608]: => acl_mask: to all values by "", (=0) slapd[2608]: <= check a_dn_pat: * slapd[2608]: <= acl_mask: [2] applying read(=rscxd) (stop) slapd[2608]: <= acl_mask: [2] mask: read(=rscxd) slapd[2608]: => slap_access_allowed: disclose access granted by read(=rscxd) slapd[2608]: => access_allowed: disclose access granted by read(=rscxd) slapd[2608]: send_ldap_result: conn=1002 op=1 p=3 slapd[2608]: send_ldap_result: err=10 matched="dc=xxx,dc=fr" text="" slapd[2608]: SASL Canonicalize [conn=1002]: authzid="syncuser" slapd[2608]: SASL [conn=1002] Failure: no secret in database slapd[2608]: send_ldap_result: conn=1002 op=1 p=3 slapd[2608]: send_ldap_result: err=49 matched="" text="SASL(-13): user not found: no secret in database" slapd[2608]: send_ldap_response: msgid=2 tag=97 err=49 slapd[2608]: conn=1002 op=1 RESULT tag=97 err=49 text=SASL(-13): user not found: no secret in database slapd[2608]: <== slap_sasl_bind: rc=49 slapd[2608]: daemon: activity on 1 descriptor slapd[2608]: daemon: activity on: slapd[2608]: 31r Thank you for your suggestions. B Chataigne

11 years, 7 months

2
2
0 / 0

directory performance on modifytimestamp and createtimestamp

by Flack, Simon

All, Has anyone tried creating an index in openldap to speed-up inequality searches ( eg of the form modifyTimestamp>=20111025162408Z ) on the modifytimestamp or createtimestamp attributes ? If so, what type of index did you create , did openldap perform reads faster than with no index and did the presence of the index slow down writes to openldap appreciably ? Many Thanks, Simon Flack. This e-mail has been scanned for viruses by the Cable&Wireless Worldwide e-mail security system. For more information on a proactive managed e-mail secure service, visit http://www.cw.com/managed-exchange The information contained in this e-mail is confidential and may also be subject to legal privilege. It is intended only for the recipient(s) named above. If you are not named above as a recipient, you must not read, copy, disclose, forward or otherwise use the information contained in this email. If you have received this e-mail in error, please notify the sender (whose contact details are above) immediately by reply e-mail and delete the message and any attachments without retaining any copies. Cable & Wireless Worldwide plc Registered in England and Wales. Company Number 07029206 Registered office: Liberty House, 76 Hammersmith Road, London W14 8UD, England

11 years, 7 months

2
1
0 / 0

[Autofs for Linux and OSX] back-relay ? aliases ?

by Frava

Hello, I'm configuring Autofs maps via OpenLDAP for some OS X (10.5/6/7) and Linux CentOS (5/6) boxes, and I'm running into a little problem. OS X needs to have an "automountMapName=auto_master" and "automountMapName=auto_home" located in "cn=automountMap,dc=subnet,dc=example,dc=com" Linux needs to have an "automountMapName=auto.master" and "automountMapName=auto.home" located wherever I want in "dc=subnet,dc=example,dc=com" The entries contained in "automountMapName=auto_home" and "automountMapName=auto.home" will be exactly the same ones; SO what is the best way to implement it without duplicate them ? Using aliases or rwm+relay ? Cheers, Rafael.

11 years, 7 months

3
4
0 / 0

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

openldap-technical October 2011